
Reverse DNS mapping delegation

Hello, I need your help with an issue that troubles me.

I maintain a dedicated server at servermatrix, in a subnet of 5 internet IPs (255.255.255.248). Recently I decided to host my domains on my own DNS server. I also thought to set up my reverse DNS zone, and ask the authoritative servers for this C class (belonging to servermatrix/theplanet) to delegate authority for my subnet to my DNS server. Anyway, I believed it was obvious that my arpa DNS zone wouldn't affect anything, since no other internet DNS server referred to it as the authoritative DNS for that C class, and to my understanding reverse DNS mappings are delegated in the same hierarchical way as all the other DNS records, using the ARPA naming scheme. For that reason I didn't bother setting my zone to handle only my small subnet's reverse mapping, since it is actually a bit complicated from what I saw, involving a practical trick of using CNAME aliases, as the minimum de-facto supported arpa zone is a C class.

The strange thing that happened is that 2 days after I set this up, the reverse mapping for the whole C class was ruined!! Meaning that no reverse DNS resolving is possible for an IP in this subnet. I checked the whole route of authority for this C class, beginning from the ARPA root servers, and the authoritative servers are still the proper ones, those of servermatrix (dns1.theplanet.com & dns2.theplanet.com). BUT when I try to query them for the answer, they simply do not reply. They will reply to ANY other question, either with an answer for the zones of their authority or by returning the authoritative DNS server for all the rest. But they will NOT respond AT ALL to queries for my particular class.

<Here I query for an IP that doesn't belong to their authoritative zone. Naturally, they respond with something (the authoritative DNS server in this case; they probably queried the nameservers in resolv.conf or even from root.hints, doesn't matter).>

<Finally, here I query for my server's IP reverse mapping record, which belongs to their authoritative zone. Even if it didn't, the server SHOULD respond with SOMETHING. But you see it does not.>

At this point, I need to mention that even if by some strange occurrence my own DNS server acted as the authoritative one, reverse DNS mapping wouldn't work, as I had made a small mistake that rendered the whole zone file invalid. So I have no way to know right now if the DNS servers all around would use my DNS as the authoritative one, or simply everything is f**ked up. I only know that authority has not been delegated to it from any other (parent authoritative) DNS server, and thus that should be impossible.

Putting aside my anxiety (that I have no reverse DNS service of my own, so as a result my mailserver malfunctions and I have problems pointing an important domain to my DNS *(I'll explain that later), and that I may have caused many other people the same problems),

2) I am totally misinformed about DNS, what happened is a natural result of my ignorance -I don't think so, though, since reverse DNS in the whole internet would collapse all the time if it was so-

3) Something out of specifications has happened, for example as a result of servermatrix hostmaster's misconfiguration, that allowed some sort of (unintended) spoofing on my part (though I don't see how that would happen!).

In any case, things are screwed for me and for many other people.

The other problem that I mentioned before would be completely explained if it is somewhere in the DNS RFCs or in the .org TLD root servers' practice that they will not delegate authority for a domain to a DNS server that has no reverse DNS mapping (that would be natural, since the RFC demands that every host has a reverse DNS). Does anyone know? (I don't feel like looking for this right now.)

I need to hear your thoughts, both because I am desperate to solve the problem asap and out of natural curiosity. Thanks in advance.

For that reason I didn't bother setting my zone to handle only my small subnet's reverse mapping, since it is actually a bit complicated from what I saw, involving a practical trick of using CNAME aliases, as the minimum de-facto supported arpa zone is a C class.

Then what have you done here?

and ask the authoritative servers for this C class (belonging to servermatrix/theplanet) to delegate authority for my subnet to my DNS server.

I think that the two statements above may be conflicting, (though I might not be totally comprehending the problem). It seems to me that you "requested" that the authority for your 8(?) IPs be passed from theplanet.com to your name servers. Then you _seem_ to be saying that, because of an issue of complexity, you are really trying to be the authority for the entire zone for the C Class, (but that's per the RFC, "minimum de facto supported arpa zone").

The result would appear to be that you have wrestled authority from theplanet.com for the reverse DNS for the entire zone but then, by the use of a cname, you have messed up the entire zone.

While the answer to the problem may be of interest it would seem that you are affecting others within the C Class. Since you only have 5 addresses I would consider returning authority of the reverse zone to theplanet.com and have them set up your 5 RDNS entries and have done with it......

If you are using windows for the DNS servers can you see anything odd in the DNS Event log, (or anywhere else if you are using *nix)?

Don't SYN us.... We'll SYN you..... "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

For that reason I didn't bother setting my zone to handle only my small subnet's reverse mapping, since it is actually a bit complicated from what I saw, involving a practical trick of using CNAME aliases, as the minimum de-facto supported arpa zone is a C class.

Then what have you done here?

I have added a zone for "0.0.127.in-addr.arpa" (replace 0.0.127 with my IP's network part of a class C, reversed the same way). I was certain (and still am) that since authority is delegated hierarchically, beginning from the ARPA root servers, which for that particular zone delegate authority to theplanet's DNS, no matter what, they would be the ones queried by all the other slave DNS servers, so all the ISPs' DNS would point to them. To my understanding, it is absolutely the same as setting up an authoritative DNS server on a DSL line, for a zone containing e.g. antionline.org, and without any other action on your part seeing that 1-2 days later antionline.org is OFF. Which obviously will not happen!

I think that the two statements above may be conflicting

I was planning to ask the servers of theplanet to delegate authority for my small subnet to my DNS (so that they would have to mess with cutting an arpa zone for that small subnet, since it is a bit complicated), as that should be the only way I could have the reverse mapping authority for my IPs. Still, I didn't ask, as I hit that problem before I made the contact. I was intending to ask theplanet if my zone setup would work, but I didn't think that would be necessary before I asked for delegation, for the reason that I mentioned above.

The result would appear to be that you have wrestled authority from theplanet.com for the reverse DNS for the entire zone but then, by the use of a cname, you have messed up the entire zone.

I don't think that I have (or could) wrestle authority without being given it by one of the parent authoritative DNS servers or doing something nasty. Also, I didn't use the solution involving CNAMEs to handle my arpa zone (I expected theplanet to use it), and that's why I followed the easy solution of making a zone for the whole C class.

I have deleted the "suspicious" zone since yesterday, still nothing has changed. I intend to wait one more day before I do as you suggest.

But if what you say is true that, per the RFC, the minimum unit for an RDNS zone is a C-Class, then theplanet wouldn't be able to break out your subnet on its own unless they gave you responsibility for the entire zone - which is something they probably wouldn't do.

[Still I didn't ask as I hit that problem before I make the contact]

I dunno... It seems to me like you made changes but I am having difficulty understanding what you did exactly. How did you assume authority for the RDNS zone from theplanet? They would have to change their DNS to allow you to assume authority which I don't think they would do per my para above.

Questions:

Have you contacted theplanet and had them release authority for the RDNS zone for that C-Class to you?

If you did, did they agree to do it and did they confirm the appropriate changes had been made?

What changes did you specifically make to your DNS to make it authoritative for RDNS in that C-Class?

[Edit]

Ahh.... I see the new post....

It seems like they did make changes but they sent the authority to NS2 which sends the authority back to NS1. It's definitely screwed up and certainly doesn't pass authority to you.

The answers to the above questions will still be useful in helping me understand the exact situation. The trouble with DNS is that it is distributed, thus meaning lots of people have to all have their poop in one pile.....

[/Edit]


But if what you say is true that, per the RFC, the minimum unit for an RDNS zone is a C-Class, then theplanet wouldn't be able to break out your subnet on its own unless they gave you responsibility for the entire zone - which is something they probably wouldn't do.

Well, from what I've read, normally "only four levels of the in-addr.arpa portion of the name space were used--one level per octet of an IP address". I didn't speak about the RFC, only about "de facto", meaning the supported configuration implementation of the named daemon. Still, there is a hack that is documented in RFC 2317 that defines the use of a configuration set in a zone file that would yield the wanted result. That is in practice nothing more than a hack widely implemented (I've seen many ISPs that use it for this purpose, as it is a common thing to ask for the reverse mapping authority delegation of your IPs).

Questions:

Have you contacted theplanet and had them release authority for the RDNS zone for that C-Class to you?

If you did, did they agree to do it and did they confirm the appropriate changes had been made?

What changes did you specifically make to your DNS to make it authoritative for RDNS in that C-Class?

- No, I didn't make any contact, else I would be contacting them again instead of being confused.
- I did the following very simple thing:

The configuration is valid and works correctly (well, maybe it wouldn't work properly in practice, as I would not be authoritative for the whole C class), but it shouldn't screw anything up either! The problem lies somewhere else, I believe, since the fact is that ThePlanet didn't make any changes to my knowledge!
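The two pieces of the thread that keep colliding are the zone naming (the "0.0.127.in-addr.arpa" zone for a whole C class, as in the earlier post) and the RFC 2317 CNAME trick for delegating a block smaller than a /24. The following is an added example, not code from the thread or from any of the providers named in it. It builds the provider-side records (an NS set for a "8/29.2.0.192.in-addr.arpa" child zone plus one CNAME per address) and the customer-side PTRs for a hypothetical /29 in documentation space, then resolves a PTR by walking the CNAME chain the way a resolver would. All names and addresses are constructed; `mail.customer.example.` and `ns1.customer.example.` are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed example: the customer holds 192.0.2.8/29 (RFC 5737 documentation
# space) inside the provider's 2.0.192.in-addr.arpa zone. All names are made up.
CUSTOMER_NS = ["ns1.customer.example."]
CUSTOMER_PTRS = {
    "192.0.2.9": "mail.customer.example.",
    "192.0.2.10": "www.customer.example.",
}


def reverse_name(ip: str) -> str:
    """in-addr.arpa owner name for an IPv4 address: one label per octet, reversed."""
    return ipaddress.ip_address(ip).reverse_pointer


def classless_zone_name(prefix: str) -> str:
    """RFC 2317 child zone name for a sub-/24 block, e.g. '8/29.2.0.192.in-addr.arpa'."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("classless delegation applies to IPv4 blocks smaller than a /24")
    o = str(net.network_address).split(".")
    return f"{o[3]}/{net.prefixlen}.{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"


def parent_zone_records(prefix: str, child_ns):
    """Records the provider adds to its /24 zone: the NS set that delegates the
    child zone, and one CNAME per address pointing into that child zone."""
    net = ipaddress.ip_network(prefix, strict=True)
    child = classless_zone_name(prefix)
    recs = [(child, "NS", ns) for ns in child_ns]
    for host in net:  # every address in the block, first and last included
        last = str(host).split(".")[3]
        recs.append((reverse_name(str(host)), "CNAME", f"{last}.{child}"))
    return recs


def child_zone_records(prefix: str, ptrs):
    """Records the customer serves in the child zone: ordinary PTRs."""
    net = ipaddress.ip_network(prefix, strict=True)
    child = classless_zone_name(prefix)
    recs = []
    for ip, host in ptrs.items():
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"{ip} is outside {prefix}")
        recs.append((f"{ip.split('.')[3]}.{child}", "PTR", host))
    return recs


def build_rrsets(records):
    """Group (name, type, rdata) triples by owner name."""
    rrsets = defaultdict(list)
    for name, rtype, rdata in records:
        rrsets[name].append((rtype, rdata))
    return rrsets


def resolve_ptr(ip: str, rrsets, max_chain: int = 8):
    """Toy resolver: start at the in-addr.arpa name, follow CNAMEs, and return the
    PTR target, or None if the chain ends without one. The chain limit is what
    real resolvers use to stop CNAME loops."""
    name = reverse_name(ip)
    for _ in range(max_chain):
        rrs = rrsets.get(name, [])
        for rtype, rdata in rrs:
            if rtype == "PTR":
                return rdata
        cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
        if not cnames:
            return None
        name = cnames[0]
    return None


if __name__ == "__main__":
    rrsets = build_rrsets(
        parent_zone_records("192.0.2.8/29", CUSTOMER_NS)
        + child_zone_records("192.0.2.8/29", CUSTOMER_PTRS)
    )
    for ip in ("192.0.2.9", "192.0.2.10", "192.0.2.11", "192.0.2.99"):
        print(ip, "->", resolve_ptr(ip, rrsets))
```

The point the thread circles around shows up in the data model: the parent /24 zone stays with the provider, and the only thing the customer's server is ever asked for is the `8/29...` child zone, because the parent's CNAMEs and NS records are what steer resolvers there. A zone for the whole `2.0.192.in-addr.arpa` loaded on a server nobody is delegated to is never consulted, which is why an unrelated zone file on its own cannot change what resolvers see.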

If it worked correctly before, (I'm assuming it was), and you didn't contact them, then they probably wouldn't have changed anything. That being the case it should have continued to work. But it doesn't and we can clearly see their DNS servers looping the track to the Authoritative DNS server. I guess it's remotely possible that by coincidence they were messing with their DNS at the same time you were and they have messed it up..... Coincidences do happen and they are a right pain when they do because it's one of those unknowns we all hate.....

However, when I say it would continue to work, it still wouldn't propagate down to your server until they relinquished authority over the zone. Since you haven't asked them to, the authority would remain with them no matter what you did at your end.

I would call them and ask them to fix the looping issue first and then broach the subject of gaining authority over your subnet's RDNS while they are looking at the looping issue. Right now you will never get it to work because of their looping issue.

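The "looping" diagnosis above (authority handed to NS2, which hands it back to NS1) is the kind of thing you find by walking the delegation chain from the top and keeping track of which servers you have already asked. The following is an added example, not code from the thread; it models the referrals as a constructed table rather than sending real queries, so it runs offline. `ns1.provider.example.` and `ns2.provider.example.` are hypothetical names; the zone `2.0.192.in-addr.arpa` is documentation space. The walk stops with a distinct result for a loop, for a server that gives no answer at all (what the original poster observed), and for a healthy chain that ends at an authoritative server.

```python
# Constructed referral tables. Key: (server asked, zone asked for).
# Value: ("auth", [nameservers]) when the server answers authoritatively,
# or ("refer", [servers]) when it hands the query off to other servers.
ZONE = "2.0.192.in-addr.arpa"

BROKEN = {
    ("root.", ZONE): ("refer", ["in-addr.arpa-server.example."]),
    ("in-addr.arpa-server.example.", ZONE): ("refer", ["ns1.provider.example."]),
    ("ns1.provider.example.", ZONE): ("refer", ["ns2.provider.example."]),
    ("ns2.provider.example.", ZONE): ("refer", ["ns1.provider.example."]),  # loop
}

HEALTHY = {
    ("root.", ZONE): ("refer", ["in-addr.arpa-server.example."]),
    ("in-addr.arpa-server.example.", ZONE): ("refer", ["ns1.provider.example."]),
    ("ns1.provider.example.", ZONE): ("auth", ["ns1.provider.example.", "ns2.provider.example."]),
}

SILENT = {
    ("root.", ZONE): ("refer", ["in-addr.arpa-server.example."]),
    ("in-addr.arpa-server.example.", ZONE): ("refer", ["ns1.provider.example."]),
    # ns1.provider.example. has no entry: it simply does not respond for this zone
}


def trace_delegation(zone, referrals, start="root.", max_hops=16):
    """Follow referrals for `zone` from `start`, asking the first server in each
    referral. Returns (status, path) where status is one of
    'authoritative', 'loop', 'no-response' or 'hop-limit'."""
    path = [start]
    seen = {start}
    server = start
    for _ in range(max_hops):
        resp = referrals.get((server, zone))
        if resp is None:
            return "no-response", path  # asked, got nothing back
        kind, targets = resp
        if kind == "auth":
            return "authoritative", path
        nxt = targets[0]
        path.append(nxt)
        if nxt in seen:
            return "loop", path  # referred back to a server already on the path
        seen.add(nxt)
        server = nxt
    return "hop-limit", path


if __name__ == "__main__":
    for label, table in (("broken", BROKEN), ("healthy", HEALTHY), ("silent", SILENT)):
        status, path = trace_delegation(ZONE, table)
        print(f"{label:8s} {status:14s} " + " -> ".join(path))
```

Following only the first server of each referral keeps the walk linear; a full check would try every listed server, since a delegation is only as healthy as its weakest nameserver. Against real servers the same shape applies with `dig +norecurse` at each hop, which is also the way to separate "the parent still delegates to the provider" from "the provider's own servers disagree with each other".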

So you believe that what happens has nothing to do with what I did, right? I would believe so as well, but I find it extremely weird that the looping (or whatever) occurred right after I set up my DNS server for this rdns zone, especially because the problem regards ONLY my class! I mean, I have tested almost a dozen ThePlanet subnets, and rdns is ruined only for my class!

Of course I will do as you suggest (there doesn't seem to be any other option anyway). I am only wondering if I need to mention all these things to ServerMatrix..

Thanks for your help; if there is something interesting in their reply I'll post it.

I can't see how what you did affected their servers unless they had already delegated authority for the RDNS zones to you and set their servers up as secondary zones to pull from your DNS server. As I have said, I can't see them relinquishing authority to you with such a small subnet of the whole and allowing you to manage RDNS for the majority of the C-Class which isn't yours. So, no.... It can't be you.

I'm betting on a coincidence to be honest, but yes, if you find out exactly what happened I would be very interested in hearing how it worked.... or didn't in this case....
